The XOrg Server and Xwayland display implementations have been patched against multiple security vulnerabilities that could lead to heap overflows, out-of-bounds writes, or local privilege escalation.
A new X.Org Security Advisory was published today to warn users about CVE-2023-6816, a heap buffer overflow issue introduced in xorg-server v1.13.0 (released 2012), CVE-2024-0229, an out-of-bounds memory access issue introduced in xorg-server v1.1.1 (released 2006), and CVE-2024-21885, a heap buffer overflow issue introduced in xorg-server v1.10.0 (released 2011).
In addition, the new security advisory warns users about CVE-2024-21886, another heap buffer overflow issue introduced in xorg-server v1.13.0 (released 2012), CVE-2024-0409, a SELinux context corruption introduced in xorg-server v1.16.0 (released 2014), and CVE-2024-0408, a SELinux unlabeled GLX PBuffer issue introduced in xorg-server v1.10.0 (released 2011).
The CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, and CVE-2024-21886 vulnerabilities were discovered by Jan-Niklas Sohn from the Trend Micro Zero Day Initiative, while CVE-2024-0409 was discovered by Olivier Fourdan, and CVE-2024-0408 by Olivier Fourdan and Donn Seeley.
All these security vulnerabilities are now patched in xorg-server v21.1.11, as well as xwayland v23.2.4. These new releases should soon make their way into the stable software repositories of your favorite GNU/Linux distributions, so it’s wise to update your installations as soon as they arrive.
In addition to patching these vulnerabilities, the xorg-server v21.1.11 release also fixes an issue with XRandR to allow for multiple virtual monitors on a physical display. On the other hand, the xwayland v23.2.4 also contains several other fixes for glamor, libEI support, and FreeBSD systems.
Once again, this shows that the X server remains unpatched against many security vulnerabilities in 2024, so it would be highly recommended to use Wayland instead. Linux distribution maintainers are also advised to switch to Wayland by default in their systems if they haven’t done so until now or patch the X server.
Even if your distro is using Wayland by default, the Xwayland implementation is probably still used for compatibility with X11 apps, so you still need to patch your systems and make sure that the latest version is installed.
Image credits: XOrg Foundation
Last updated 1 month ago